From: Luigi Rizzo
Message-Id: <200003070824.JAA60597@info.iet.unipi.it>
Subject: Re: ipdivert and ethernet bridging
In-Reply-To: from Robert Watson at "Mar 7, 2000 00:16:36 am"
To: Robert Watson
Date: Tue, 7 Mar 2000 09:24:17 +0100 (CET)
Cc: Ludo Koren, ipfw@FreeBSD.ORG

> Aha, found it in ip_fw_chk, only the check is done after twiddling the
> various parts of the IP header, not before... :-)

you are right, the check should be done earlier. I think it does not
harm too much to do things like this now (hopefully) because the
header is restored afterwards in all cases. Will check this.

In an ideal world, the bridging code should call *fw_chk() depending on
packet type...

	cheers
	luigi

> On Mon, 6 Mar 2000, Robert Watson wrote:
>
> > Luigi,
> >
> > I've been reading through the bridge/ipfw code, and can't seem to find a
> > place where eh->ether_type is checked to see if it is ETHERTYPE_IP before
> > the firewall rules are evaluated. I was wondering if the check is not
> > taking place, or if so, where it takes place?
> >
> > net/bridge.c:
> > ...
> >     /*
> >      * before calling the firewall, swap fields the same as IP does.
> >      * here we assume the pkt is an IP one and the header is contiguous
> >      */
> >     eh = mtod(m, struct ether_header *);
> >     ip = (struct ip *)(eh + 1 ) ;
> >     NTOHS(ip->ip_len);
> >     NTOHS(ip->ip_id);
> >     NTOHS(ip->ip_off);
> > ...
> >
> > Thanks,
> >
> > Robert N M Watson
> >
> > robert@fledge.watson.org http://www.watson.org/~robert/
> > PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> > TIS Labs at Network Associates, Safeport Network Services
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-ipfw" in the body of the message
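The ordering issue discussed in this thread, as an added user-space example that is not part of the original messages and is not code from net/bridge.c: it compares swapping the IP header fields unconditionally with checking the EtherType first. All function names here are hypothetical, the frames are constructed samples, and swap16() models what NTOHS does on a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETHERTYPE_IP  0x0800  /* IPv4 EtherType */
#define ETHERTYPE_ARP 0x0806
#define ETHER_HDR_LEN 14
#define FRAME_LEN     42      /* 14-byte Ethernet header + 28-byte payload */

/* Model of NTOHS on a little-endian host: swap a 16-bit field in place. */
static void swap16(uint8_t *p) { uint8_t t = p[0]; p[0] = p[1]; p[1] = t; }

/* Unguarded, like the quoted excerpt: assumes the payload is an IP header. */
void prep_unchecked(uint8_t *frame) {
    uint8_t *ip = frame + ETHER_HDR_LEN;
    swap16(ip + 2);   /* ip_len */
    swap16(ip + 4);   /* ip_id  */
    swap16(ip + 6);   /* ip_off */
}

/* Guarded: returns 1 if the frame is IPv4 and was swapped, 0 if untouched. */
int prep_checked(uint8_t *frame, size_t len) {
    if (len < ETHER_HDR_LEN + 20 ||            /* room for a minimal IP header */
        ((frame[12] << 8) | frame[13]) != ETHERTYPE_IP)
        return 0;
    prep_unchecked(frame);
    return 1;
}

/* Constructed sample frame: every byte is its own offset, then the type. */
void make_frame(uint8_t *f, uint16_t ethertype) {
    for (int i = 0; i < FRAME_LEN; i++) f[i] = (uint8_t)i;
    f[12] = (uint8_t)(ethertype >> 8); f[13] = (uint8_t)(ethertype & 0xff);
}

/* Returns 1 if a frame of the given type is altered by the chosen variant. */
int frame_altered(uint16_t ethertype, int guarded) {
    uint8_t before[FRAME_LEN], f[FRAME_LEN];
    make_frame(f, ethertype);
    memcpy(before, f, FRAME_LEN);
    if (guarded) prep_checked(f, FRAME_LEN); else prep_unchecked(f);
    return memcmp(before, f, FRAME_LEN) != 0;
}

int main(void) {
    printf("ARP, unguarded: altered=%d\n", frame_altered(ETHERTYPE_ARP, 0));
    printf("ARP, guarded:   altered=%d\n", frame_altered(ETHERTYPE_ARP, 1));
    printf("IP,  guarded:   altered=%d\n", frame_altered(ETHERTYPE_IP, 1));
    return 0;
}
```

With the unguarded variant, the non-IP frame stays intact only if every later code path restores the swapped bytes; the guarded variant does not depend on that.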